From 6bd547d1f444a45c4e41f1664d15c73b0c7cedd1 Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 11:53:55 -0500 Subject: [PATCH 01/13] perf: use a single snapshot for all functions --- main.cpp | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/main.cpp b/main.cpp index 429fe48..bcd21ce 100644 --- a/main.cpp +++ b/main.cpp @@ -108,7 +108,7 @@ thread_local std::string currentParentExe = ""; // to store the name of our own std::string WideToString(const std::wstring& wstr); -void EnsureCurrentParentExe() { +void EnsureCurrentParentExe(hSnapshot) { if (!currentParentExe.empty()) return; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); @@ -311,8 +311,8 @@ std::string GetReadableFileTime(DWORD pid) { return oss.str(); } -void PrintErrorHints(int errorCode) { - EnsureCurrentParentExe(); +void PrintErrorHints(int errorCode, hshot) { + EnsureCurrentParentExe(hshot); // Use our little lookup table to give hints for specific errors if (errorHints.find(errorCode) != errorHints.end()) { if (IsVirtualTerminalModeEnabled()) { @@ -1490,7 +1490,7 @@ return WideToString(stringBuffer); #endif } -void PrintAncestry(DWORD pid) { +void PrintAncestry(DWORD pid, hSnapshot) { // now we're geting the name // we're making it slower by adding a bunch of snapshots // but again, we'll optimize and refactor later, i need this to work first @@ -1512,9 +1512,8 @@ UPDATE: This is done now!! PROCESSENTRY32 pe32{}; pe32.dwSize = sizeof(PROCESSENTRY32); DWORD parentPid = 0; - HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (hSnapshot == INVALID_HANDLE_VALUE) return; + DWORD currentProcessId = GetCurrentProcessId(); // checking our own process DWORD currentParentPid = 0; 
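Review bot: The PrintAncestry hunk at @@ -1512 removes the function's own snapshot and its `INVALID_HANDLE_VALUE` guard, but leaves the header comment "we're making it slower by adding a bunch of snapshots" which no longer describes the code; the function now silently trusts whatever handle the caller passes. Replace that comment with the contract the patch introduces, e.g. `// hSnapshot: a TH32CS_SNAPPROCESS snapshot owned by the caller; this function only enumerates it (Process32First rewinds it) and never closes it`. The same ownership note belongs on EnsureCurrentParentExe, PrintErrorHints, PIDinspect and findMyProc, which gain the parameter in this patch and had their own guards and CloseHandle calls stripped. PrintAncestry's body continues outside the hunk.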
@@ -1727,7 +1726,7 @@ void FindProcessPorts(DWORD targetPid) { -void PIDinspect(const std::vector& pids, const std::vector& names) { // ooh guys look i'm in the void +void PIDinspect(const std::vector& pids, const std::vector& names, hshot) { // ooh guys look i'm in the void DWORD pid = pids[0]; std::string procName = GetProcessNameFromPid(pid); if (IsVirtualTerminalModeEnabled()) { @@ -1782,7 +1781,7 @@ void PIDinspect(const std::vector& pids, const std::vector& } if (queryError) { - PrintErrorHints(errorCode); + PrintErrorHints(errorCode, hshot); } @@ -1813,7 +1812,7 @@ void PIDinspect(const std::vector& pids, const std::vector& << "\n Maybe Access is Denied or the process is running entirely in RAM." << std::endl; } if (queryError) { - PrintErrorHints(errorCode); + PrintErrorHints(errorCode, hshot); // it might seem like overkill to call the function every time there's an error, // but if you remember we have a fallback for opening processes, so there are multiple // places where an error can occur. @@ -1925,7 +1924,7 @@ std::string FRAM = ""; // fram means formatted ram, i'm so creative at var namin } else { std::cout << "\nWhy It Exists:\n"; } - PrintAncestry(pid); + PrintAncestry(pid, hshot); FindProcessPorts(pid); @@ -1989,17 +1988,15 @@ struct ProcInfos { std::vector pids; }; -ProcInfos findMyProc(const char *procname) { +ProcInfos findMyProc(const char *procname, hSnapshot) { - HANDLE hSnapshot; + PROCESSENTRY32 pe; ProcInfos result; BOOL hResult; - // snapshot of all processes in the system - hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (INVALID_HANDLE_VALUE == hSnapshot) return {}; + // initializing size: needed for using Process32First pe.dwSize = sizeof(PROCESSENTRY32); 
@@ -2142,8 +2139,11 @@ int main(int argc, char* argv[]) { std::vector trash; trash.push_back(""); pids.push_back(static_cast(pid));// function requires it to be a list even if only 1 is passed - - PIDinspect(pids, trash); + // snapshot of all processes in the system first so we can pass it to every function from there on + + HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (INVALID_HANDLE_VALUE == hSnapshot) return {}; + PIDinspect(pids, trash, hshot); } else { if (IsVirtualTerminalModeEnabled()) { // ugh i have to do this EVERY SINGLE TIME std::cerr << "\033[1;31mError:\033[0m --pid option requires an argument." << std::endl; @@ -2161,10 +2161,12 @@ int main(int argc, char* argv[]) { // check for process name if no recognized flags else if (arg[0] != '-') { // if it doesn't start with -- or - std::string procName = arg; - ProcInfos r = findMyProc(procName.c_str()); + HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (INVALID_HANDLE_VALUE == hSnapshot) return {}; + ProcInfos r = findMyProc(procName.c_str(), hshot); if (!r.pids.empty()) { std::vector dwPids(r.pids.begin(), r.pids.end()); - PIDinspect(dwPids, r.names); + PIDinspect(dwPids, r.names, hshot); } else { if (IsVirtualTerminalModeEnabled()) { std::cerr << "\033[1;31mError:\033[0m Could not find process with name " << procName << "." << std::endl; From 5dfc5989e3545a4459ca29fac305cdd91888177e Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 11:57:51 -0500 Subject: [PATCH 02/13] fix: try fix compile errors --- main.cpp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/main.cpp b/main.cpp index bcd21ce..1e2d024 100644 --- a/main.cpp +++ b/main.cpp 
@@ -111,8 +111,7 @@ std::string WideToString(const std::wstring& wstr); void EnsureCurrentParentExe(hSnapshot) { if (!currentParentExe.empty()) return; - HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (hSnapshot == INVALID_HANDLE_VALUE) return; + PROCESSENTRY32 pe32{}; pe32.dwSize = sizeof(PROCESSENTRY32); @@ -2142,7 +2141,7 @@ int main(int argc, char* argv[]) { // snapshot of all processes in the system first so we can pass it to every function from there on HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (INVALID_HANDLE_VALUE == hSnapshot) return {}; + if (INVALID_HANDLE_VALUE == hSnapshot) {return {}}; PIDinspect(pids, trash, hshot); } else { if (IsVirtualTerminalModeEnabled()) { // ugh i have to do this EVERY SINGLE TIME @@ -2162,7 +2161,7 @@ int main(int argc, char* argv[]) { else if (arg[0] != '-') { // if it doesn't start with -- or - std::string procName = arg; HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (INVALID_HANDLE_VALUE == hSnapshot) return {}; + if (INVALID_HANDLE_VALUE == hSnapshot) {return {}}; ProcInfos r = findMyProc(procName.c_str(), hshot); if (!r.pids.empty()) { std::vector dwPids(r.pids.begin(), r.pids.end()); From 1f83782d75fd78429b95e9703d952866ec1fcb2b Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 12:07:12 -0500 Subject: [PATCH 03/13] fix: errorosroororsr --- main.cpp | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/main.cpp b/main.cpp index 1e2d024..ecd1189 100644 --- a/main.cpp +++ b/main.cpp @@ -108,7 +108,7 @@ thread_local std::string currentParentExe = ""; // to store the name of our own std::string WideToString(const std::wstring& wstr); -void EnsureCurrentParentExe(hSnapshot) { +void EnsureCurrentParentExe(HANDLE hSnapshot) { if (!currentParentExe.empty()) return; 
@@ -140,7 +140,7 @@ void EnsureCurrentParentExe(hSnapshot) { } } - CloseHandle(hSnapshot); + } @@ -310,7 +310,7 @@ std::string GetReadableFileTime(DWORD pid) { return oss.str(); } -void PrintErrorHints(int errorCode, hshot) { +void PrintErrorHints(int errorCode, HANDLE hshot) { EnsureCurrentParentExe(hshot); // Use our little lookup table to give hints for specific errors if (errorHints.find(errorCode) != errorHints.end()) { @@ -430,11 +430,8 @@ std::optional GetUserNameFromProcess(DWORD id) // Permalink: https://stackoverflow.com/a/73242956 // Thanks! -std::string GetProcessNameFromPid(DWORD pid) { - HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (snapshot == INVALID_HANDLE_VALUE) { - return ""; // vroken - } +std::string GetProcessNameFromPid(DWORD pid, HANDLE snapshot) { + PROCESSENTRY32 pe{}; pe.dwSize = sizeof(PROCESSENTRY32); @@ -442,13 +439,13 @@ std::string GetProcessNameFromPid(DWORD pid) { if (Process32First(snapshot, &pe)) { do { if (pe.th32ProcessID == pid) { - CloseHandle(snapshot); + return WideToString(pe.szExeFile); } } while (Process32Next(snapshot, &pe)); } - CloseHandle(snapshot); + return ""; } @@ -1725,9 +1722,9 @@ void FindProcessPorts(DWORD targetPid) { -void PIDinspect(const std::vector& pids, const std::vector& names, hshot) { // ooh guys look i'm in the void +void PIDinspect(const std::vector& pids, const std::vector& names, HANDLE hshot) { // ooh guys look i'm in the void DWORD pid = pids[0]; - std::string procName = GetProcessNameFromPid(pid); + std::string procName = GetProcessNameFromPid(pid, hshot); if (IsVirtualTerminalModeEnabled()) { if (procName == ""){ std::cout << "\033[34mTarget:\033[0m N/A\n\033[34mProcess:\033[0m N/A\n"; @@ -1987,7 +1984,7 @@ struct ProcInfos { std::vector pids; }; -ProcInfos findMyProc(const char *procname, hSnapshot) { +ProcInfos findMyProc(const char *procname, HANDLE hSnapshot) { PROCESSENTRY32 pe; 
@@ -2034,8 +2031,7 @@ ProcInfos findMyProc(const char *procname, hSnapshot) { hResult = Process32Next(hSnapshot, &pe); } - // closes an open handle (CreateToolhelp32Snapshot) - CloseHandle(hSnapshot); + return result; } // The above function is taken from https://cocomelonc.github.io/pentest/2021/09/29/findmyprocess.html, modified simply to use WideToString for the process name comparison among other things. @@ -2143,6 +2139,7 @@ int main(int argc, char* argv[]) { HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) {return {}}; PIDinspect(pids, trash, hshot); + CloseHandle(hshot); } else { if (IsVirtualTerminalModeEnabled()) { // ugh i have to do this EVERY SINGLE TIME std::cerr << "\033[1;31mError:\033[0m --pid option requires an argument." << std::endl; @@ -2166,6 +2163,7 @@ int main(int argc, char* argv[]) { if (!r.pids.empty()) { std::vector dwPids(r.pids.begin(), r.pids.end()); PIDinspect(dwPids, r.names, hshot); + CloseHandle(hshot); } else { if (IsVirtualTerminalModeEnabled()) { std::cerr << "\033[1;31mError:\033[0m Could not find process with name " << procName << "." << std::endl; From 0cdf5f873f8b125d7e76356f49c9dbab0b6bf873 Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 12:10:16 -0500 Subject: [PATCH 04/13] ihtviuewrthiret09eryunt9yripuhtr --- main.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.cpp b/main.cpp index ecd1189..799bdc0 100644 --- a/main.cpp +++ b/main.cpp @@ -1486,7 +1486,7 @@ return WideToString(stringBuffer); #endif } -void PrintAncestry(DWORD pid, hSnapshot) { +void PrintAncestry(DWORD pid, HANDLE hSnapshot) { // now we're geting the name // we're making it slower by adding a bunch of snapshots // but again, we'll optimize and refactor later, i need this to work first From 46102671ff41f783c11226b831045a6443c2cdef Mon Sep 17 00:00:00 2001 
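Review bot: In the last hunk (@@ -2166) `CloseHandle(hshot);` is only reached inside `if (!r.pids.empty())`, so on the "Could not find process with name" branch the snapshot handle created a few lines above is leaked for that argv iteration. Move the close after the whole if/else, or right after `findMyProc` and `PIDinspect` are done with it, so both branches release it: `CloseHandle(hshot);` as the last statement of the `else if (arg[0] != '-')` block. The --pid path in the previous hunk (@@ -2143) closes unconditionally, which is the shape to mirror. The enclosing `main` body continues outside the hunk.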
From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 12:13:19 -0500 Subject: [PATCH 05/13] =?UTF-8?q?&&&&&&&&&&&&&&&&&&&&&&&&=F0=9F=A4=A1?= =?UTF-8?q?=F0=9F=98=A4=F0=9F=A4=AC=F0=9F=98=A1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.cpp b/main.cpp index 799bdc0..dd3757f 100644 --- a/main.cpp +++ b/main.cpp @@ -2137,7 +2137,7 @@ int main(int argc, char* argv[]) { // snapshot of all processes in the system first so we can pass it to every function from there on HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (INVALID_HANDLE_VALUE == hSnapshot) {return {}}; + if (INVALID_HANDLE_VALUE == hshot) {return {};} PIDinspect(pids, trash, hshot); CloseHandle(hshot); } else { @@ -2158,7 +2158,7 @@ int main(int argc, char* argv[]) { else if (arg[0] != '-') { // if it doesn't start with -- or - std::string procName = arg; HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (INVALID_HANDLE_VALUE == hSnapshot) {return {}}; + if (INVALID_HANDLE_VALUE == hshot) {return {};} ProcInfos r = findMyProc(procName.c_str(), hshot); if (!r.pids.empty()) { std::vector dwPids(r.pids.begin(), r.pids.end()); From 843a74c4d8e4a4703c16a27153ea864150e9c09d Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 18:56:00 +0000 Subject: [PATCH 06/13] refactor: Optimize process snapshot handling using a map for improved performance --- main.cpp | 90 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/main.cpp b/main.cpp index dd3757f..d2f9962 100644 --- a/main.cpp +++ b/main.cpp 
@@ -1504,9 +1504,17 @@ UPDATE: This is done now!! - + // Build a PID→process map ONCE instead of walking 3 times + std::unordered_map pidMap; PROCESSENTRY32 pe32{}; pe32.dwSize = sizeof(PROCESSENTRY32); + + if (Process32First(hSnapshot, &pe32)) { + do { + pidMap[pe32.th32ProcessID] = pe32; + } while (Process32Next(hSnapshot, &pe32)); + } + DWORD parentPid = 0; @@ -1514,14 +1522,12 @@ UPDATE: This is done now!! DWORD currentProcessId = GetCurrentProcessId(); // checking our own process DWORD currentParentPid = 0; - if (Process32First(hSnapshot, &pe32)) { // here, we're gonna use the existing snapshot so it doesn't use another - do { - // it shouldn't harm performance, but even if it does, I want to get - // the features done first before optimizing anything - if (pe32.th32ProcessID == currentProcessId) { - break; - } - } while (Process32Next(hSnapshot, &pe32)); + // here, we're gonna use the existing snapshot so it doesn't use another + // it shouldn't harm performance, but even if it does, I want to get + // the features done first before optimizing anything + auto currentIt = pidMap.find(currentProcessId); + if (currentIt != pidMap.end()) { + pe32 = currentIt->second; } DWORD targetpid = pid; // the function already passes pid into us, but 
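Review bot: In the @@ -1514 hunk the retained comment "here, we're gonna use the existing snapshot so it doesn't use another / it shouldn't harm performance…" now sits above a `pidMap.find(currentProcessId)` lookup and no longer describes what the code does. Replace it with something like `// look our own process up in pidMap (built above); pe32 keeps the last enumerated entry if we're not in the snapshot`. Whether `pe32` is read after `pe32 = currentIt->second;` is outside the hunk; if it is not, the lookup is dead and can go. PrintAncestry's body continues outside this hunk.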
@@ -1534,34 +1540,30 @@ UPDATE: This is done now!! bool found = false; while (pid != 0 && pid != 4) { found = false; - if (Process32First(hSnapshot, &pe32)) { - do { - if (pe32.th32ProcessID == pid) { - // Without comments, this literally looks like alien gibberish so lemme explain - - ULONGLONG creationTime = GetProcessCreationTime(pid); // this stores the creation time of the CURRENT pid (not parent) - exeTimes.emplace_back(creationTime); // immediately stores the above to the list - exeName = WideToString(pe32.szExeFile); //this stores the NAME of the current pid, converted to something that the terminal won't choke and die on - exeNames.emplace_back(exeName); // this adds the above to the name list - pidNames.emplace_back(pid); // this adds the current pid (no need to store in var as already passed into if) - - parentPid = pe32.th32ParentProcessID; // this gets the pid of the PARENT pid (if there hopefully is one) - parentPids.emplace_back(pe32.th32ParentProcessID); // adds above to list - ULONGLONG parentTime = GetProcessCreationTime(parentPid); // this gets the creation time of that one - - if (parentPid == 0 || parentPid == 4 || parentTime == 0 || parentTime >= creationTime) { - // we can't be sure if the parent actually exists and windows isn't lying to us, - // so always double check - pid = 0; - } else { - - pid = parentPid; - } - found = true; - break; - } - } while (Process32Next(hSnapshot, &pe32)); + auto it = pidMap.find(pid); + if (it != pidMap.end()) { + const PROCESSENTRY32& entry = it->second; + // Without comments, this literally looks like alien gibberish so lemme explain + + ULONGLONG creationTime = GetProcessCreationTime(pid); // this stores the creation time of the CURRENT pid (not parent) + exeTimes.emplace_back(creationTime); // immediately stores the above to the list + exeName = WideToString(entry.szExeFile); //this stores the NAME of the current pid, converted to something that the terminal won't choke and die on + 
exeNames.emplace_back(exeName); // this adds the above to the name list + pidNames.emplace_back(pid); // this adds the current pid (no need to store in var as already passed into if) + + parentPid = entry.th32ParentProcessID; // this gets the pid of the PARENT pid (if there hopefully is one) + parentPids.emplace_back(entry.th32ParentProcessID); // adds above to list + ULONGLONG parentTime = GetProcessCreationTime(parentPid); // this gets the creation time of that one + + if (parentPid == 0 || parentPid == 4 || parentTime == 0 || parentTime >= creationTime) { + // we can't be sure if the parent actually exists and windows isn't lying to us, + // so always double check + pid = 0; + } else { + pid = parentPid; + } + found = true; } if (!found) break; @@ -1572,8 +1574,8 @@ UPDATE: This is done now!! // Checking if the parent is alive, because, well, since the target IS the parent, // it must be alive. int children = 0; // i wonder what would happen if you could set an emoji as var name - if (Process32First(hSnapshot, &pe32)) { - do { + for (const auto& pair : pidMap) { + const PROCESSENTRY32& entry = pair.second; // this time, our target pid is already stored at the very top of our list. // this means we don't have to add target pid stuff. 
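Review bot: With the map lookup, the `found` flag in the @@ -1534 hunk is redundant: it is reset at the top of each iteration, set only inside the `if (it != pidMap.end())` body, and checked once immediately after. A guard reads more directly and drops the flag: `auto it = pidMap.find(pid); if (it == pidMap.end()) break;` followed by the body unindented. The loop header and the `found` declaration are in the hunk, so the change is local to it.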
@@ -1581,16 +1583,16 @@ UPDATE: This is done now!! // the previous loop, since emplacing to the front requires shifting the entire list // and therefore is inefficient, robbing us of a couple milliseconds of precious cpu time :( - if (pe32.th32ParentProcessID == targetpid) { - exeName = WideToString(pe32.szExeFile); // this stores the name of our pid we're looking at in a var + if (entry.th32ParentProcessID == targetpid) { + exeName = WideToString(entry.szExeFile); // this stores the name of our pid we're looking at in a var exeNames.emplace(exeNames.begin(), exeName); // this adds this to the front of the list // in this case, we are adding stuff to the front of the list, since we're looking at children // you might've noticed this doesn't have an emplace_front() like emplace_back() since // it's inefficient and the creators of the vector lib didn't do it - pidNames.emplace(pidNames.begin(), pe32.th32ProcessID); - ULONGLONG childTime = GetProcessCreationTime(pe32.th32ProcessID); + pidNames.emplace(pidNames.begin(), entry.th32ProcessID); + ULONGLONG childTime = GetProcessCreationTime(entry.th32ProcessID); exeTimes.emplace(exeTimes.begin(), childTime); // we don't even use this but we need to keep all the vectors the same length - parentPids.emplace(parentPids.begin(), pe32.th32ProcessID); // just fill it up, we aren't using it + parentPids.emplace(parentPids.begin(), entry.th32ProcessID); // just fill it up, we aren't using it children++; // keeps track of how many children we have (that sounds wrong when you say it) } @@ -1598,8 +1600,6 @@ UPDATE: This is done now!! - } while (Process32Next(hSnapshot, &pe32)); - } From daca8933cc338d06016335fa46663457d8a54c26 Mon Sep 17 00:00:00 2001 
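Review bot: The children pass (hunks @@ -1572 and @@ -1581) now iterates `pidMap`, an unordered_map, so the order in which children are appended to exeNames/pidNames/parentPids follows hash-table layout instead of snapshot order and can differ between runs of the same command. If the printed child order should be stable, either keep a second `Process32First`/`Process32Next` walk for this pass or collect the children and sort them by `th32ProcessID` before appending. A one-line comment stating that child order is unspecified would do if it genuinely does not matter. The loop closes in the @@ -1598 hunk below.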
From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 15:24:08 -0500 Subject: [PATCH 07/13] perf: remove entire exeTimes vector to save time --- main.cpp | 41 ++++++++++++++++------------------------- 1 file changed, 16 insertions(+), 25 deletions(-) diff --git a/main.cpp b/main.cpp index d2f9962..b603729 100644 --- a/main.cpp +++ b/main.cpp @@ -1533,10 +1533,10 @@ UPDATE: This is done now!! DWORD targetpid = pid; // the function already passes pid into us, but // just to be safe that pid doesn't get overwritten in the loop below std::string exeName = "Unknown/Dead Process"; - std::vector exeNames; - std::vector exeTimes; // sorry for the crap code but idk how to make multidimensional arrays yet 😭😭😭 + std::vector exeNames; // sorry for the crap code but idk how to make multidimensional arrays yet 😭😭😭 std::vector pidNames; // hopefully the compiler can fix it std::vector parentPids; + ULONGLONG creationTime = GetProcessCreationTime(pid); bool found = false; while (pid != 0 && pid != 4) { found = false; 
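Review bot: Hoisting `ULONGLONG creationTime = GetProcessCreationTime(pid);` above the `while (pid != 0 && pid != 4)` loop changes the PID-reuse check: `pid` is reassigned to the parent on every iteration, but `creationTime` stays the target's, so the comparison `parentTime >= creationTime` in the next hunk (@@ -1544) tests each ancestor's parent against the original target's start time rather than the ancestor's own. A grandparent started after the parent but before the target now passes the check and is reported as a real ancestor. Keep the hoist but refresh the value when walking up, in the `else` branch that is outside the hunk: `pid = parentPid; creationTime = parentTime;`.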
@@ -1544,16 +1544,13 @@ UPDATE: This is done now!! if (it != pidMap.end()) { const PROCESSENTRY32& entry = it->second; // Without comments, this literally looks like alien gibberish so lemme explain - - ULONGLONG creationTime = GetProcessCreationTime(pid); // this stores the creation time of the CURRENT pid (not parent) - exeTimes.emplace_back(creationTime); // immediately stores the above to the list + exeName = WideToString(entry.szExeFile); //this stores the NAME of the current pid, converted to something that the terminal won't choke and die on exeNames.emplace_back(exeName); // this adds the above to the name list pidNames.emplace_back(pid); // this adds the current pid (no need to store in var as already passed into if) parentPid = entry.th32ParentProcessID; // this gets the pid of the PARENT pid (if there hopefully is one) parentPids.emplace_back(entry.th32ParentProcessID); // adds above to list - ULONGLONG parentTime = GetProcessCreationTime(parentPid); // this gets the creation time of that one if (parentPid == 0 || parentPid == 4 || parentTime == 0 || parentTime >= creationTime) { // we can't be sure if the parent actually exists and windows isn't lying to us, @@ -1573,6 +1570,12 @@ UPDATE: This is done now!! // tells us that our target pid is it's parent. This time, we don't have to worry about // Checking if the parent is alive, because, well, since the target IS the parent, // it must be alive. + // now we need to reverse all the vector lists we made so + // that the ancestry tree is correctly diisplayed from root to children like witr + // in c++20 there is a new way to reverse called ranges or smth but i won't use that + std::reverse(exeNames.begin(), exeNames.end()); + std::reverse(pidNames.begin(), pidNames.end()); + std::reverse(parentPids.begin(), parentPids.end()); int children = 0; // i wonder what would happen if you could set an emoji as var name for (const auto& pair : pidMap) { const PROCESSENTRY32& entry = pair.second; 
@@ -1585,14 +1588,9 @@ UPDATE: This is done now!! if (entry.th32ParentProcessID == targetpid) { exeName = WideToString(entry.szExeFile); // this stores the name of our pid we're looking at in a var - exeNames.emplace(exeNames.begin(), exeName); // this adds this to the front of the list - // in this case, we are adding stuff to the front of the list, since we're looking at children - // you might've noticed this doesn't have an emplace_front() like emplace_back() since - // it's inefficient and the creators of the vector lib didn't do it - pidNames.emplace(pidNames.begin(), entry.th32ProcessID); - ULONGLONG childTime = GetProcessCreationTime(entry.th32ProcessID); - exeTimes.emplace(exeTimes.begin(), childTime); // we don't even use this but we need to keep all the vectors the same length - parentPids.emplace(parentPids.begin(), entry.th32ProcessID); // just fill it up, we aren't using it + exeNames.emplace_back(exeName); = + pidNames.emplace_back(entry.th32ProcessID); + parentPids.emplace_back(entry.th32ProcessID); // just fill it up, we aren't using it children++; // keeps track of how many children we have (that sounds wrong when you say it) } @@ -1603,15 +1601,8 @@ UPDATE: This is done now!! } -CloseHandle(hSnapshot); // we're only closing the handle until we finish messing with the snapshot - //phew thankfully we're done with that mess - // now we need to reverse all the vector lists we made so - // that the ancestry tree is correctly diisplayed from root to children like witr - // in c++20 there is a new way to reverse called ranges or smth but i won't use that - std::reverse(exeNames.begin(), exeNames.end()); - std::reverse(exeTimes.begin(), exeTimes.end()); - std::reverse(pidNames.begin(), pidNames.end()); - std::reverse(parentPids.begin(), parentPids.end()); + + // now get the size of one of the lists to know how many we got (they should all be the same length) size_t nameSize = exeNames.size(); 
@@ -2137,7 +2128,7 @@ int main(int argc, char* argv[]) { // snapshot of all processes in the system first so we can pass it to every function from there on HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (INVALID_HANDLE_VALUE == hshot) {return {};} + if (INVALID_HANDLE_VALUE == hshot) {return 1;} PIDinspect(pids, trash, hshot); CloseHandle(hshot); } else { @@ -2158,7 +2149,7 @@ int main(int argc, char* argv[]) { else if (arg[0] != '-') { // if it doesn't start with -- or - std::string procName = arg; HANDLE hshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (INVALID_HANDLE_VALUE == hshot) {return {};} + if (INVALID_HANDLE_VALUE == hshot) {return 1;} ProcInfos r = findMyProc(procName.c_str(), hshot); if (!r.pids.empty()) { std::vector dwPids(r.pids.begin(), r.pids.end()); From 34c439ca0c719f7859ec90d34ce3433d3cdde783 Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 15:25:27 -0500 Subject: [PATCH 08/13] fix: missing time --- main.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/main.cpp b/main.cpp index b603729..566e7f3 100644 --- a/main.cpp +++ b/main.cpp @@ -1551,6 +1551,7 @@ UPDATE: This is done now!! parentPid = entry.th32ParentProcessID; // this gets the pid of the PARENT pid (if there hopefully is one) parentPids.emplace_back(entry.th32ParentProcessID); // adds above to list + ULONGLONG parentTime = GetProcessCreationTime(entry.th32ParentProcessID); if (parentPid == 0 || parentPid == 4 || parentTime == 0 || parentTime >= creationTime) { // we can't be sure if the parent actually exists and windows isn't lying to us, From 6fb0555c0d305e599debcbe39cb37af5e0440298 Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 15:40:00 -0500 Subject: [PATCH 09/13] fix: stray equal sign --- main.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
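Review bot: `if (INVALID_HANDLE_VALUE == hshot) {return 1;}` now gives a non-zero exit status, but both hunks (@@ -2137 and @@ -2158) exit without printing anything, while every neighbouring failure branch in main reports through std::cerr with the VT-aware "Error:" prefix. Add the same diagnostic before returning, e.g. `std::cerr << "Error: CreateToolhelp32Snapshot failed (" << GetLastError() << ")." << std::endl;`, so a user sees why no output appeared. The enclosing `main` continues outside both hunks.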
diff --git a/main.cpp b/main.cpp index 566e7f3..8a45a61 100644 --- a/main.cpp +++ b/main.cpp @@ -1589,7 +1589,7 @@ UPDATE: This is done now!! if (entry.th32ParentProcessID == targetpid) { exeName = WideToString(entry.szExeFile); // this stores the name of our pid we're looking at in a var - exeNames.emplace_back(exeName); = + exeNames.emplace_back(exeName); pidNames.emplace_back(entry.th32ProcessID); parentPids.emplace_back(entry.th32ProcessID); // just fill it up, we aren't using it children++; // keeps track of how many children we have (that sounds wrong when you say it) From b68348e05483e541c32202a40d7e73ff9b055c85 Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 15:58:47 -0500 Subject: [PATCH 10/13] perf: pidMap Use emplace instead of copy assignment --- main.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.cpp b/main.cpp index 8a45a61..452698a 100644 --- a/main.cpp +++ b/main.cpp @@ -1511,7 +1511,7 @@ UPDATE: This is done now!! if (Process32First(hSnapshot, &pe32)) { do { - pidMap[pe32.th32ProcessID] = pe32; + pidMap.emplace(pe32.th32ProcessID, pe32); } while (Process32Next(hSnapshot, &pe32)); } From ed4b19edf9135e331b67d153ad43d231f14792cc Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 21:04:57 +0000 Subject: [PATCH 11/13] perf: cache vt terminal so only call once --- main.cpp | 197 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 99 insertions(+), 98 deletions(-) diff --git a/main.cpp b/main.cpp index 452698a..92171eb 100644 --- a/main.cpp +++ b/main.cpp 
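Review bot: Switching to `pidMap.emplace(pe32.th32ProcessID, pe32)` still copies the whole PROCESSENTRY32 into the node once per process; the only work saved over `operator[]` is the value-initialisation of the mapped object, so the gain is marginal rather than the headline perf change the subject suggests. It also changes semantics on a duplicate key: `operator[]` assignment kept the last entry, `emplace` keeps the first. PIDs are unique within a single snapshot so this is harmless, but a comment such as `// PIDs are unique within one snapshot, so emplace never hits an existing key` records why it is safe. The loop header and closing brace are inside the hunk.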
@@ -314,7 +314,7 @@ void PrintErrorHints(int errorCode, HANDLE hshot) { EnsureCurrentParentExe(hshot); // Use our little lookup table to give hints for specific errors if (errorHints.find(errorCode) != errorHints.end()) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cerr << "\033[1;33mHint:\033[0m " << errorHints[errorCode] << std::endl; } else { std::cerr << "Hint: " << errorHints[errorCode] << std::endl; @@ -455,7 +455,7 @@ std::string GetCommandLine(HANDLE hproc) { BOOL isWow64 = FALSE; if (!IsWow64Process(hproc, &isWow64)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:wow64checkfail)\033[0m"; } else { return "Failed to Access (wwitr:wow64checkfail)"; @@ -471,7 +471,7 @@ if (!isWoW64) { typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -492,7 +492,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { // so the handle gets passed to this function and we don't need to clean up our handle just yet, just return // but we still should add a cout to see where it failed - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; // failure } else { return "Failed to Access (wwitr:ntqueryfailed)"; // failure 
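Review bot: Every hunk in this patch (here in PrintErrorHints and throughout the GetCommandLine variants at @@ -455 onward, continuing past this chunk) replaces the `IsVirtualTerminalModeEnabled()` call with a read of `virtualTerminalEnabled`, but the variable's definition and the point where it is assigned are not among the visible hunks. If it is a namespace-scope variable set in main, these functions now silently depend on that ordering and would print unstyled output if any of them ran before it. Initialise it at its definition from the function (`const bool virtualTerminalEnabled = IsVirtualTerminalModeEnabled();`) if the check has no side effects, or add at the definition a comment like `// set once at the start of main(), read-only afterwards; callers must not run before that`. The same point covers the remaining hunks of this patch.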
@@ -505,7 +505,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -515,7 +515,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x70, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -530,7 +530,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -550,7 +550,7 @@ return WideToString(stringBuffer); // and I think it's only slow in python auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; 
@@ -560,7 +560,7 @@ return WideToString(stringBuffer); ULONG_PTR peb32Address = 0; NTSTATUS status = queryInfo(hproc, ProcessWow64Information, &peb32Address, sizeof(peb32Address), NULL); if (status != 0 || peb32Address == 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -569,7 +569,7 @@ return WideToString(stringBuffer); ULONG procParamPtr32 = 0; if (!ReadProcessMemory(hproc, (BYTE*)peb32Address + 0x10, &procParamPtr32, sizeof(procParamPtr32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -578,7 +578,7 @@ return WideToString(stringBuffer); UNICODE_STRING32 cmdLStruct32{}; if (!ReadProcessMemory(hproc, (BYTE*)(ULONG_PTR)procParamPtr32 + 0x40, &cmdLStruct32, sizeof(cmdLStruct32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -593,7 +593,7 @@ return WideToString(stringBuffer); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, (PVOID)(ULONG_PTR)cmdLStruct32.Buffer, buffer.data(), cmdLStruct32.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; 
@@ -624,7 +624,7 @@ return WideToString(stringBuffer); typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -634,7 +634,7 @@ if (!queryInfo) { PROCESS_BASIC_INFORMATION pbi; if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -644,7 +644,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; //for wow64 processes, the offset is different if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -654,7 +654,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x40, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; 
@@ -669,7 +669,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -700,7 +700,7 @@ return WideToString(stringBuffer); typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -710,7 +710,7 @@ if (!queryInfo) { PROCESS_BASIC_INFORMATION pbi; if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -720,7 +720,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; //for wow64 processes, the offset is different if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; 
@@ -730,7 +730,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x40, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -745,7 +745,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -775,7 +775,7 @@ return WideToString(stringBuffer); auto readMem64 = (pNtWow64ReadVirtualMemory64)GetProcAddress(ntdll, "NtWow64ReadVirtualMemory64"); if (!queryInfo64 || !readMem64) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -799,7 +799,7 @@ return WideToString(stringBuffer); ULONG64 peb64Address = pbi64.PebBaseAddress; if (status != 0 || peb64Address == 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; 
@@ -810,7 +810,7 @@ return WideToString(stringBuffer); status = readMem64(targetHandle, peb64Address + 0x20, &procParamPtr64, sizeof(procParamPtr64), NULL); if (status != 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -821,7 +821,7 @@ return WideToString(stringBuffer); status = readMem64(targetHandle, procParamPtr64 + 0x70, &cmdLStruct64, sizeof(cmdLStruct64), NULL); if (status != 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -838,7 +838,7 @@ return WideToString(stringBuffer); status = readMem64(targetHandle, cmdLStruct64.Buffer, buffer.data(), cmdLStruct64.Length, NULL); if (status != 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -861,7 +861,7 @@ return WideToString(stringBuffer); //idk i don't use no surface laptops BOOL isWow64 = FALSE; if (!IsWow64Process(hproc, &isWow64)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:wow64checkfail)\033[0m"; } else { return "Failed to Access (wwitr:wow64checkfail)"; 
@@ -875,7 +875,7 @@ typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -885,7 +885,7 @@ if (!queryInfo) { PROCESS_BASIC_INFORMATION pbi; if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -894,7 +894,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -904,7 +904,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x70, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; 
@@ -919,7 +919,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -935,7 +935,7 @@ return WideToString(stringBuffer); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -945,7 +945,7 @@ return WideToString(stringBuffer); ULONG_PTR peb32Address = 0; NTSTATUS status = queryInfo(hproc, ProcessWow64Information, &peb32Address, sizeof(peb32Address), NULL); if (status != 0 || peb32Address == 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -954,7 +954,7 @@ return WideToString(stringBuffer); ULONG procParamPtr32 = 0; if (!ReadProcessMemory(hproc, (BYTE*)peb32Address + 0x10, &procParamPtr32, sizeof(procParamPtr32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; 
@@ -963,7 +963,7 @@ return WideToString(stringBuffer); UNICODE_STRING32 cmdLStruct32{}; if (!ReadProcessMemory(hproc, (BYTE*)(ULONG_PTR)procParamPtr32 + 0x40, &cmdLStruct32, sizeof(cmdLStruct32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -978,7 +978,7 @@ return WideToString(stringBuffer); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, (PVOID)(ULONG_PTR)cmdLStruct32.Buffer, buffer.data(), cmdLStruct32.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -989,7 +989,7 @@ return WideToString(stringBuffer); return WideToString(stringBuffer); } #else - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:unknownarch)\033[0m"; } else { return "Failed to Access (wwitr:unknownarch)"; @@ -1012,7 +1012,7 @@ std::string GetWorkingDir(HANDLE hproc) { BOOL isWow64 = FALSE; if (!IsWow64Process(hproc, &isWow64)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:wow64checkfail)\033[0m"; } else { return "Failed to Access (wwitr:wow64checkfail)"; @@ -1025,7 +1025,7 @@ if (!isWoW64) { typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; 
@@ -1035,7 +1035,7 @@ if (!queryInfo) { PROCESS_BASIC_INFORMATION pbi; if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -1044,7 +1044,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -1054,7 +1054,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x38, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -1069,7 +1069,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; 
@@ -1083,7 +1083,7 @@ return WideToString(stringBuffer); } else { auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -1093,7 +1093,7 @@ return WideToString(stringBuffer); ULONG_PTR peb32Address = 0; NTSTATUS status = queryInfo(hproc, ProcessWow64Information, &peb32Address, sizeof(peb32Address), NULL); if (status != 0 || peb32Address == 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -1102,7 +1102,7 @@ return WideToString(stringBuffer); ULONG procParamPtr32 = 0; if (!ReadProcessMemory(hproc, (BYTE*)peb32Address + 0x10, &procParamPtr32, sizeof(procParamPtr32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -1111,7 +1111,7 @@ return WideToString(stringBuffer); UNICODE_STRING32 cmdLStruct32{}; if (!ReadProcessMemory(hproc, (BYTE*)(ULONG_PTR)procParamPtr32 + 0x24, &cmdLStruct32, sizeof(cmdLStruct32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; 
@@ -1126,7 +1126,7 @@ return WideToString(stringBuffer); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, (PVOID)(ULONG_PTR)cmdLStruct32.Buffer, buffer.data(), cmdLStruct32.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -1143,7 +1143,7 @@ return WideToString(stringBuffer); typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -1153,7 +1153,7 @@ if (!queryInfo) { PROCESS_BASIC_INFORMATION pbi; if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -1162,7 +1162,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; 
@@ -1172,7 +1172,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x24, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -1187,7 +1187,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -1206,7 +1206,7 @@ return WideToString(stringBuffer); typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -1216,7 +1216,7 @@ if (!queryInfo) { PROCESS_BASIC_INFORMATION pbi; if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; 
@@ -1225,7 +1225,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -1235,7 +1235,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x10, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x24, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -1250,7 +1250,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -1267,7 +1267,7 @@ return WideToString(stringBuffer); auto readMem64 = (pNtWow64ReadVirtualMemory64)GetProcAddress(ntdll, "NtWow64ReadVirtualMemory64"); if (!queryInfo64 || !readMem64) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; 
@@ -1291,7 +1291,7 @@ return WideToString(stringBuffer); ULONG64 peb64Address = pbi64.PebBaseAddress; if (status != 0 || peb64Address == 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -1302,7 +1302,7 @@ return WideToString(stringBuffer); status = readMem64(targetHandle, peb64Address + 0x20, &procParamPtr64, sizeof(procParamPtr64), NULL); if (status != 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -1313,7 +1313,7 @@ return WideToString(stringBuffer); status = readMem64(targetHandle, procParamPtr64 + 0x38, &cmdLStruct64, sizeof(cmdLStruct64), NULL); if (status != 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -1330,7 +1330,7 @@ return WideToString(stringBuffer); status = readMem64(targetHandle, cmdLStruct64.Buffer, buffer.data(), cmdLStruct64.Length, NULL); if (status != 0) { if (openedHandle) CloseHandle(openedHandle); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -1351,7 +1351,7 @@ return WideToString(stringBuffer); BOOL isWow64 = FALSE; if (!IsWow64Process(hproc, &isWow64)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:wow64checkfail)\033[0m"; } else { return "Failed to Access (wwitr:wow64checkfail)"; 
@@ -1365,7 +1365,7 @@ typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -1375,7 +1375,7 @@ if (!queryInfo) { PROCESS_BASIC_INFORMATION pbi; if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -1384,7 +1384,7 @@ if (queryInfo(hproc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0) { PVOID procParamPtr = nullptr; if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, sizeof(PVOID), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; @@ -1394,7 +1394,7 @@ if (!ReadProcessMemory(hproc, (BYTE*)pbi.PebBaseAddress + 0x20, &procParamPtr, s UNICODE_STRING cmdLStruct; SIZE_T bytesRead2 = 0; if (!ReadProcessMemory(hproc, (BYTE*)procParamPtr + 0x38, &cmdLStruct, sizeof(cmdLStruct), &bytesRead2)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; 
@@ -1409,7 +1409,7 @@ size_t wchar_count = cmdLStruct.Length / sizeof(wchar_t); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, cmdLStruct.Buffer, buffer.data(), cmdLStruct.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -1424,7 +1424,7 @@ return WideToString(stringBuffer); auto queryInfo = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess"); if (!queryInfo) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:functionptrs)\033[0m"; } else { return "Failed to Access (wwitr:functionptrs)"; @@ -1434,7 +1434,7 @@ return WideToString(stringBuffer); ULONG_PTR peb32Address = 0; NTSTATUS status = queryInfo(hproc, ProcessWow64Information, &peb32Address, sizeof(peb32Address), NULL); if (status != 0 || peb32Address == 0) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:ntqueryfailed)\033[0m"; } else { return "Failed to Access (wwitr:ntqueryfailed)"; @@ -1443,7 +1443,7 @@ return WideToString(stringBuffer); ULONG procParamPtr32 = 0; if (!ReadProcessMemory(hproc, (BYTE*)peb32Address + 0x10, &procParamPtr32, sizeof(procParamPtr32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:procParamPtrRead)\033[0m"; } else { return "Failed to Access (wwitr:procParamPtrRead)"; 
@@ -1452,7 +1452,7 @@ return WideToString(stringBuffer); UNICODE_STRING32 cmdLStruct32{}; if (!ReadProcessMemory(hproc, (BYTE*)(ULONG_PTR)procParamPtr32 + 0x24, &cmdLStruct32, sizeof(cmdLStruct32), NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:cmdLStructFail)\033[0m"; } else { return "Failed to Access (wwitr:cmdLStructFail)"; @@ -1467,7 +1467,7 @@ return WideToString(stringBuffer); std::vector buffer(wchar_count + 1, 0); if (!ReadProcessMemory(hproc, (PVOID)(ULONG_PTR)cmdLStruct32.Buffer, buffer.data(), cmdLStruct32.Length, NULL)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:bufferReadFail)\033[0m"; } else { return "Failed to Access (wwitr:bufferReadFail)"; @@ -1478,7 +1478,7 @@ return WideToString(stringBuffer); return WideToString(stringBuffer); } #else - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { return "\033[31mFailed to Access (wwitr:unknownarch)\033[0m"; } else { return "Failed to Access (wwitr:unknownarch)"; @@ -1621,13 +1621,13 @@ UPDATE: This is done now!! if (i > 0) { std::cout << " "; // add one indentation att start so it looks cleaner - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[35m└─\033[0m "; // it's the little thingy thing └─ unicode from witr } else { std::cout << "└─ "; }} - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { if (targetpid == pidNames[i]) { std::cout << "\033[1;32m" << exeNames[i] << " (PID " << pidNames[i] << ")" << "\033[0m" << std::endl; } else { @@ -1691,7 +1691,7 @@ void FindProcessPorts(DWORD targetPid) { } if (!listening.empty()) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[1;32mListening\033[0m: \n"; } else { std::cout << "Listening: \n"; 
@@ -1717,7 +1717,7 @@ void FindProcessPorts(DWORD targetPid) { void PIDinspect(const std::vector& pids, const std::vector& names, HANDLE hshot) { // ooh guys look i'm in the void DWORD pid = pids[0]; std::string procName = GetProcessNameFromPid(pid, hshot); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { if (procName == ""){ std::cout << "\033[34mTarget:\033[0m N/A\n\033[34mProcess:\033[0m N/A\n"; } else { @@ -1754,7 +1754,7 @@ void PIDinspect(const std::vector& pids, const std::vector& errorCode = GetLastError(); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { queryError = true; std::cerr << "\033[1;31mError:\033[0m Could not open process with PID " @@ -1780,7 +1780,7 @@ void PIDinspect(const std::vector& pids, const std::vector& DWORD size = MAX_PATH; if (QueryFullProcessImageNameA(hProcess, 0, exePath, &size)) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[34mExecutable Path:\033[0m " << exePath << std::endl; } else { std::cout << "Executable Path: " << exePath << std::endl; @@ -1788,7 +1788,7 @@ void PIDinspect(const std::vector& pids, const std::vector& } else { errorCode = GetLastError(); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { queryError = true; std::cerr << "\033[1;31mError:\033[0m Unable to query executable path. Error code: " << errorCode 
@@ -1815,14 +1815,14 @@ void PIDinspect(const std::vector& pids, const std::vector& // Use our little lookup table to give hints for specific errors auto user = GetUserNameFromProcess(pid); // dang it dude it feels like such a war crime using auto in c++ 😭✌️ if (user.has_value()) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[34mUser\033[0m: " << WideToString(user.value()) << std::endl; } else { std::cout << "User: " << WideToString(user.value()) << std::endl; } } else { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[1;34mUser\033[0m: \033[1;31mN/A (Failed to access info)\033[0m" << std::endl; } else { std::cout << "User: N/A (Failed to access info)" << std::endl; @@ -1832,7 +1832,7 @@ void PIDinspect(const std::vector& pids, const std::vector& std::string command = GetCommandLine(hProcess); - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[1;32mCommand\033[0m: " << command << std::endl; } else { std::cout << "Command: " << command << std::endl; @@ -1841,7 +1841,7 @@ void PIDinspect(const std::vector& pids, const std::vector& - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[1;32mWorking Directory\033[0m: " << workdir << std::endl; } else { std::cout << "Working Directory: " << workdir << std::endl; @@ -1885,7 +1885,7 @@ std::string FRAM = ""; // fram means formatted ram, i'm so creative at var namin - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[1;32mRAM Usage\033[0m: " << FRAM << std::endl; // I know RAM is technically a "nerdy tech term" or whatever and it'd be more logical // to say "memory" but I feel like at this point everyone knows what RAM means 
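Review bot: The `Command` value streamed on the new `virtualTerminalEnabled` branch of the @@ -1832 hunk (`std::cout << "\033[1;32mCommand\033[0m: " << command << std::endl;`) is untrusted text: the hunks above show `GetCommandLine(hProcess)` pulling it out of the target's PEB with `ReadProcessMemory`, memory the inspected process itself controls, so a process can plant VT escape sequences in its own command line and, whenever this tool runs with VT mode on, recolour, erase or spoof the lines it prints — including the `Working Directory` line that follows. Caching the flag is fine, but the colour branch should not emit raw C0 control characters; strip or escape 0x00–0x1F and 0x7F from `command`, `workdir` and `exePath` before streaming, e.g. `<< SanitizeForConsole(command)` with a small helper that replaces each control byte with a visible escape such as `\x1b`. The same sanitisation belongs wherever attacker-controlled process metadata is echoed under a colour branch; `PIDinspect` continues outside this hunk.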
@@ -1907,7 +1907,7 @@ std::string FRAM = ""; // fram means formatted ram, i'm so creative at var namin // TODO: add color text - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\n\033[1;35mWhy It Exists:\033[0m\n"; } else { std::cout << "\nWhy It Exists:\n"; @@ -1920,14 +1920,14 @@ std::string FRAM = ""; // fram means formatted ram, i'm so creative at var namin - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\n\033[1;35mStarted:\033[0m " << GetReadableFileTime(pid) << std::endl; } else { std::cout << "\nStarted: " << GetReadableFileTime(pid) << std::endl; } if (pids.size() > 1) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\033[1;35mRelated Processes:\033[0m\n"; } else { std::cout << "Related Processes:\n"; @@ -1935,7 +1935,7 @@ std::string FRAM = ""; // fram means formatted ram, i'm so creative at var namin for (size_t i = 1; i < pids.size(); i++) { std::string relatedProcName = names[i]; - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cout << "\t\033[36m" << relatedProcName << "\033[90m (PID " << pids[i] << ")\033[0m\n"; } else { std::cout << "\t" << relatedProcName << " (PID " << pids[i] << ")\n"; @@ -2032,6 +2032,7 @@ ProcInfos findMyProc(const char *procname, HANDLE hSnapshot) { int main(int argc, char* argv[]) { SetConsoleOutputCP(CP_UTF8); + bool virtualTerminalEnabled = IsVirtualTerminalModeEnabled(); for (int i = 0; i < argc; ++i) { std::string arg = argv[i]; @@ -2050,7 +2051,7 @@ int main(int argc, char* argv[]) { std::cout << "\nwin-witr - Why is this running? Windows version by supervoidcoder." << std::endl; } - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { if (IsProcessElevated()) { std::cout << "\033[1;32mRunning with elevated privileges (Admin).\033[0m" << std::endl; } else { 
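Review bot: In the `main` hunk (@@ -2032) the flag is declared as a local, `bool virtualTerminalEnabled = IsVirtualTerminalModeEnabled();`, yet every other hunk of this commit reads `virtualTerminalEnabled` from free functions (`GetCommandLine`, `GetWorkingDir`, `PrintAncestry`, `PIDinspect`) where a `main`-local name is not in scope, so the tree does not build at this commit; the follow-up "fix: local var supposed to be public" (PATCH 12/13) is what repairs it. Squashing the two so that each commit compiles keeps `git bisect` usable across this series. Whichever scope the variable ends up in, the declaration deserves a one-line contract comment, e.g. `// Computed once, before any output is written; read-only afterwards.` `main` continues outside this hunk.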
@@ -2105,7 +2106,7 @@ int main(int argc, char* argv[]) { i++; } catch (const std::invalid_argument& ia) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cerr << "\033[1;31mError:\033[0m PID argument is not a valid number." << std::endl; } else { std::cerr << "Error: PID argument is not a valid number." << std::endl; @@ -2113,7 +2114,7 @@ int main(int argc, char* argv[]) { return 1; // someday we should probably have proper error codes instead of just 1 for everything } catch (const std::out_of_range& oor) { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cerr << "\033[1;31mError:\033[0m PID argument is out of range." << std::endl; } else { std::cerr << "Error: PID argument is out of range." << std::endl; @@ -2133,7 +2134,7 @@ int main(int argc, char* argv[]) { PIDinspect(pids, trash, hshot); CloseHandle(hshot); } else { - if (IsVirtualTerminalModeEnabled()) { // ugh i have to do this EVERY SINGLE TIME + if (virtualTerminalEnabled) { // ugh i have to do this EVERY SINGLE TIME std::cerr << "\033[1;31mError:\033[0m --pid option requires an argument." << std::endl; } else { std::cerr << "Error: --pid option requires an argument." << std::endl; @@ -2157,7 +2158,7 @@ int main(int argc, char* argv[]) { PIDinspect(dwPids, r.names, hshot); CloseHandle(hshot); } else { - if (IsVirtualTerminalModeEnabled()) { + if (virtualTerminalEnabled) { std::cerr << "\033[1;31mError:\033[0m Could not find process with name " << procName << "." << std::endl; } else { std::cerr << "Error: Could not find process with name " << procName << "." << std::endl; From f9a07b3966071aa34bf7523697f20c7b430b9567 Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 21:08:14 +0000 Subject: [PATCH 12/13] fix: local var supposed to be public --- main.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.cpp b/main.cpp index 92171eb..e1e08ef 100644 
--- a/main.cpp +++ b/main.cpp @@ -105,6 +105,7 @@ std::string version = []() { #endif }(); thread_local std::string currentParentExe = ""; // to store the name of our own parent process for error hints +bool virtualTerminalEnabled = false; // cached result of virtual terminal check to avoid repeated function calls std::string WideToString(const std::wstring& wstr); @@ -2032,7 +2033,7 @@ ProcInfos findMyProc(const char *procname, HANDLE hSnapshot) { int main(int argc, char* argv[]) { SetConsoleOutputCP(CP_UTF8); - bool virtualTerminalEnabled = IsVirtualTerminalModeEnabled(); + virtualTerminalEnabled = IsVirtualTerminalModeEnabled(); for (int i = 0; i < argc; ++i) { std::string arg = argv[i]; From 44fa1daf3376905ea4b90e79f7bee0d37e076a24 Mon Sep 17 00:00:00 2001 From: supervoidcoder <88671013+supervoidcoder@users.noreply.github.com> Date: Wed, 11 Feb 2026 21:28:34 +0000 Subject: [PATCH 13/13] perf: enhance process time retrieval with optional pidMap parameter --- main.cpp | 72 +++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 55 insertions(+), 17 deletions(-) diff --git a/main.cpp b/main.cpp index e1e08ef..8258d1b 100644 --- a/main.cpp +++ b/main.cpp @@ -275,6 +275,11 @@ ULONGLONG GetProcessCreationTime(DWORD pid) { CloseHandle(hProcess); return 0; } + +ULONGLONG GetProcessCreationTime(DWORD pid, const std::unordered_map& pidMap) { + if (!pidMap.empty() && pidMap.find(pid) == pidMap.end()) return 0; + return GetProcessCreationTime(pid); +} // Process uptime helper // Reference: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocesstimes // While this does indeed give you the time since the process was created, 
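Review bot: `bool virtualTerminalEnabled = false;` is a mutable global with external linkage that every output path now reads, but it is only assigned in main, so anything that prints during static initialization — the lambda initializing `version` directly above is one such initializer, should it or another one ever print — would observe `false` regardless of the console's actual state. That is harmless as long as nothing prints before main, but the comment should say so and the variable can take internal linkage since main.cpp is its only user: `static bool virtualTerminalEnabled = false; // set once in main() before any output; readers that run earlier (static initializers) see false`.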
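Review bot: The new `GetProcessCreationTime(DWORD, const std::unordered_map&)` overload uses the map only for membership and then delegates to the single-argument version, so it still has to open the process (presumably via OpenProcess, given the `CloseHandle(hProcess)` just above) because the snapshot entries carry no creation time, and an empty map silently means "unfiltered" rather than "no process known". Both facts are easy to misread from a call site, so a comment above the early return would help: `// pidMap only filters: pids absent from the snapshot are reported as gone (0). An empty map means no snapshot was supplied and disables the filter; the time itself still comes from the unfiltered lookup below.` A pid that was in the snapshot but has since exited and been reused passes the filter and reaches the unfiltered path, so the creation-time comparison in PrintAncestry stays the real guard against a recycled pid. The single-argument overload this delegates to starts before the hunk.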
@@ -311,6 +316,27 @@ std::string GetReadableFileTime(DWORD pid) { return oss.str(); } +std::string GetReadableFileTime(DWORD pid, const std::unordered_map& pidMap) { + ULONGLONG creationTime = GetProcessCreationTime(pid, pidMap); + if (creationTime == 0) return "N/A"; + time_t unixTime = windows_time_to_unix_epoch(creationTime); + time_t now = std::time(nullptr); + double diffSeconds = std::difftime(now, unixTime); + + std::string ago; + if (diffSeconds < 60) ago = std::to_string((int)diffSeconds) + " seconds ago"; + else if (diffSeconds < 3600) ago = std::to_string((int)diffSeconds / 60) + " minutes ago"; + else if (diffSeconds < 86400) ago = std::to_string((int)diffSeconds / 3600) + " hours ago"; + else ago = std::to_string((int)diffSeconds / 86400) + " days ago"; + + std::tm bt{}; + localtime_s(&bt, &unixTime); + + std::ostringstream oss; + oss << ago << " (" << std::put_time(&bt, "%a %Y-%m-%d %H:%M:%S %z") << ")"; + return oss.str(); +} + void PrintErrorHints(int errorCode, HANDLE hshot) { EnsureCurrentParentExe(hshot); // Use our little lookup table to give hints for specific errors @@ -1487,7 +1513,7 @@ return WideToString(stringBuffer); #endif } -void PrintAncestry(DWORD pid, HANDLE hSnapshot) { +void PrintAncestry(DWORD pid, HANDLE hSnapshot, const std::unordered_map& pidMap) { // now we're geting the name // we're making it slower by adding a bunch of snapshots // but again, we'll optimize and refactor later, i need this to work first 
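Review bot: The new `GetReadableFileTime(DWORD, const std::unordered_map&)` is a line-for-line copy of the single-argument overload that ends just above it, with only the `GetProcessCreationTime` call changed, so the two formatting bodies will drift apart on the next edit (the `localtime_s` result is already unchecked in the copy, and a negative `diffSeconds` from a creation time ahead of the local clock prints as "-N seconds ago"). Since the two-argument `GetProcessCreationTime` treats an empty map as "no filter", the one-argument version can simply forward, `std::string GetReadableFileTime(DWORD pid) { return GetReadableFileTime(pid, {}); }`, leaving a single copy of the formatting code. The one-argument overload starts before this hunk.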
@@ -1506,14 +1532,18 @@ UPDATE: This is done now!! // Build a PID→process map ONCE instead of walking 3 times - std::unordered_map pidMap; + std::unordered_map localPidMap; + const std::unordered_map* pidMapPtr = &pidMap; PROCESSENTRY32 pe32{}; pe32.dwSize = sizeof(PROCESSENTRY32); - - if (Process32First(hSnapshot, &pe32)) { - do { - pidMap.emplace(pe32.th32ProcessID, pe32); - } while (Process32Next(hSnapshot, &pe32)); + + if (pidMapPtr->empty()) { + if (Process32First(hSnapshot, &pe32)) { + do { + localPidMap.emplace(pe32.th32ProcessID, pe32); + } while (Process32Next(hSnapshot, &pe32)); + } + pidMapPtr = &localPidMap; } DWORD parentPid = 0; @@ -1526,8 +1556,8 @@ UPDATE: This is done now!! // here, we're gonna use the existing snapshot so it doesn't use another // it shouldn't harm performance, but even if it does, I want to get // the features done first before optimizing anything - auto currentIt = pidMap.find(currentProcessId); - if (currentIt != pidMap.end()) { + auto currentIt = pidMapPtr->find(currentProcessId); + if (currentIt != pidMapPtr->end()) { pe32 = currentIt->second; } @@ -1537,12 +1567,12 @@ UPDATE: This is done now!! std::vector exeNames; // sorry for the crap code but idk how to make multidimensional arrays yet 😭😭😭 std::vector pidNames; // hopefully the compiler can fix it std::vector parentPids; - ULONGLONG creationTime = GetProcessCreationTime(pid); + ULONGLONG creationTime = GetProcessCreationTime(pid, *pidMapPtr); bool found = false; while (pid != 0 && pid != 4) { found = false; - auto it = pidMap.find(pid); - if (it != pidMap.end()) { + auto it = pidMapPtr->find(pid); + if (it != pidMapPtr->end()) { const PROCESSENTRY32& entry = it->second; // Without comments, this literally looks like alien gibberish so lemme explain 
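Review bot: The Process32First/Process32Next walk that fills `localPidMap` here is the same loop PIDinspect now runs at @@ -1717 to build the map it passes in, so the loop lives in two places and the fallback only triggers when the caller's own walk produced an empty map — in which case repeating it on the same handle is unlikely to do better. A small helper that builds the map from a snapshot handle lets both call sites share one implementation and gives the "empty map means no snapshot data" convention a single place to be documented; `pe32` must stay declared in PrintAncestry because the hunk at @@ -1526 still assigns to it. PrintAncestry's body starts before and continues after this hunk.
```cpp
// Indexes every entry of an already-taken process snapshot by PID.
// Returns an empty map when Process32First fails; callers treat an empty
// map as "no snapshot data available".
static std::unordered_map<DWORD, PROCESSENTRY32> BuildPidMap(HANDLE hSnapshot) {
    std::unordered_map<DWORD, PROCESSENTRY32> map;
    PROCESSENTRY32 pe32{};
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapshot, &pe32)) {
        do {
            map.emplace(pe32.th32ProcessID, pe32);
        } while (Process32Next(hSnapshot, &pe32));
    }
    return map;
}

    // … unchanged: localPidMap / pidMapPtr declarations and pe32 setup (pe32 is reused further down) …
    if (pidMapPtr->empty()) {
        localPidMap = BuildPidMap(hSnapshot);
        pidMapPtr = &localPidMap;
    }
    // … unchanged: parentPid / currentProcessId lookup …
```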
@@ -1552,7 +1582,7 @@ UPDATE: This is done now!! parentPid = entry.th32ParentProcessID; // this gets the pid of the PARENT pid (if there hopefully is one) parentPids.emplace_back(entry.th32ParentProcessID); // adds above to list - ULONGLONG parentTime = GetProcessCreationTime(entry.th32ParentProcessID); + ULONGLONG parentTime = GetProcessCreationTime(entry.th32ParentProcessID, *pidMapPtr); if (parentPid == 0 || parentPid == 4 || parentTime == 0 || parentTime >= creationTime) { // we can't be sure if the parent actually exists and windows isn't lying to us, @@ -1579,7 +1609,7 @@ UPDATE: This is done now!! std::reverse(pidNames.begin(), pidNames.end()); std::reverse(parentPids.begin(), parentPids.end()); int children = 0; // i wonder what would happen if you could set an emoji as var name - for (const auto& pair : pidMap) { + for (const auto& pair : *pidMapPtr) { const PROCESSENTRY32& entry = pair.second; // this time, our target pid is already stored at the very top of our list. @@ -1717,6 +1747,14 @@ void FindProcessPorts(DWORD targetPid) { void PIDinspect(const std::vector& pids, const std::vector& names, HANDLE hshot) { // ooh guys look i'm in the void DWORD pid = pids[0]; + std::unordered_map pidMap; + PROCESSENTRY32 pe32{}; + pe32.dwSize = sizeof(PROCESSENTRY32); + if (Process32First(hshot, &pe32)) { + do { + pidMap.emplace(pe32.th32ProcessID, pe32); + } while (Process32Next(hshot, &pe32)); + } std::string procName = GetProcessNameFromPid(pid, hshot); if (virtualTerminalEnabled) { if (procName == ""){ @@ -1913,7 +1951,7 @@ std::string FRAM = ""; // fram means formatted ram, i'm so creative at var namin } else { std::cout << "\nWhy It Exists:\n"; } - PrintAncestry(pid, hshot); + PrintAncestry(pid, hshot, pidMap); FindProcessPorts(pid); 
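Review bot: In PIDinspect (hunk @@ -1717) the snapshot walk is unconditional and a failing `Process32First` is ignored, leaving `pidMap` empty; because the callees treat an empty map as "no snapshot supplied", a failure here is invisible — `GetProcessCreationTime` quietly falls back to the unfiltered path and PrintAncestry re-walks the same handle. The walk also runs before `GetProcessNameFromPid(pid, hshot)` is handed the same handle, which works only because Process32First restarts the enumeration; a one-line comment there would keep someone from "fixing" the order later. An `else` branch that records the failure, e.g. `} else { std::cerr << "Warning: could not enumerate processes (error " << GetLastError() << ")" << std::endl; }`, would make the degraded output explainable to the user. PIDinspect's body continues past this hunk.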
@@ -1922,9 +1960,9 @@ std::string FRAM = ""; // fram means formatted ram, i'm so creative at var namin if (virtualTerminalEnabled) { - std::cout << "\n\033[1;35mStarted:\033[0m " << GetReadableFileTime(pid) << std::endl; + std::cout << "\n\033[1;35mStarted:\033[0m " << GetReadableFileTime(pid, pidMap) << std::endl; } else { - std::cout << "\nStarted: " << GetReadableFileTime(pid) << std::endl; + std::cout << "\nStarted: " << GetReadableFileTime(pid, pidMap) << std::endl; } if (pids.size() > 1) {